Artifact Registry Service Agent
The Artifact Registry Service Agent acts on behalf of
Artifact Registry when interacting with Trusted Cloud by S3NS services.
After you create the first Artifact Registry repository in a
Trusted Cloud project, the Artifact Registry Service Agent
is automatically created. The service agent identifier is:
service-PROJECT-NUMBER@gcp-sa-artifactregistry.s3ns-system.iam.gserviceaccount.com
PROJECT-NUMBER is the project number of the
Trusted Cloud project where Artifact Registry is running.
You can manually create the service account in a project without any
repositories with the command:
gcloud beta services identity create \
--service=artifactregistry.s3nsapis.fr \
--project=PROJECT-ID
Replace PROJECT-ID
with the Trusted Cloud project ID.
The Artifact Registry Service Agent is granted the Artifact Registry
Service Agent role (roles/artifactregistry.serviceAgent
) for resources in the
project. To enforce the security principle of least privilege, the role only
has the minimum required permissions:
- Publish Pub/Sub topics:
pubsub.topics.publish
- Download artifacts from Artifact Registry repositories:
artifactregistry.repositories.downloadArtifacts
- Delete artifacts:
artifactregistry.versions.delete
What's next
Learn about
Artifact Registry roles and configuring access to repositories.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eThe Artifact Registry Service Agent operates on behalf of Artifact Registry when interacting with other Google Cloud services.\u003c/p\u003e\n"],["\u003cp\u003eThis service agent is automatically generated upon the creation of the first Artifact Registry repository within a Google Cloud project.\u003c/p\u003e\n"],["\u003cp\u003eThe service agent's identifier is \u003ccode\u003eservice-PROJECT-NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com\u003c/code\u003e, where PROJECT-NUMBER represents the project number.\u003c/p\u003e\n"],["\u003cp\u003eThe service agent is granted the Artifact Registry Service Agent role, which includes permissions for publishing Pub/Sub topics, downloading artifacts, and deleting artifacts.\u003c/p\u003e\n"],["\u003cp\u003eYou can manually create the service agent in projects without any repositories using the provided \u003ccode\u003egcloud\u003c/code\u003e command.\u003c/p\u003e\n"]]],[],null,[]]